However, I still advise you to scroll down to the disinfection or removal section. Any questions? Feel free to leave a comment, or contact me on Twitter.

Analysis

So, what happens when you visit the CrunchyRoll website? Currently, you get a message that the website has encountered an error:

Figure 1 – CrunchyRoll error page

Earlier today, the CrunchyRoll website was showing the following:

While the CrunchyRoll team claims it was a DNS hijack, I have (so far) found no evidence as to the validity of this claim, and it rather appears someone was able to hack the website.

Either way, while this is bad, CrunchyRoll took swift action by taking down the website, and an investigation is under way.

What happens if you click the ‘Download now’ button? A new file, called CrunchyViewer.exe, will be downloaded from the following IP address:

109.232.225[.]12

This IP appears to have hosted fake antivirus software or similar in the past:

Figure 3 – Older resolutions (2010)

The newly downloaded file appears to be the legitimate CrunchyViewer (Crunchyroll) application, but near the end of the file a chunk of Base64-encoded data has been appended, as seen in Figure 4:

Figure 4 – base64 encoded data (click to enlarge)

Using a Base64 decoder, we get a new file, called svchost.exe. Note that the name is borrowed from the genuine Windows svchost.exe, which only ever runs from the Windows directory (System32 or SysWOW64); this copy instead places itself in the current user's AppData\Roaming folder (%appdata%), for example:

C:\Users\Yourusername\AppData\Roaming\svchost.exe
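The step described above (an otherwise ordinary executable with a Base64 chunk appended, which decodes to a second PE) is easy to automate. The script below is an added example written for this post, not the author's tooling: it carves the trailing Base64 run from a file, trims any alphanumeric bytes of the host binary that the run may have swallowed, and accepts the result only if it decodes to something starting with an MZ header. The sample bytes are constructed stand-ins, not the real CrunchyViewer.exe or svchost.exe.

```python
import base64
import binascii
import re
import sys
from typing import Optional

# Constructed stand-in for the trojanised download; NOT the real CrunchyViewer.exe.
# A fake "legitimate" PE body is followed by a Base64 chunk, line-wrapped at
# 76 columns the way many encoders emit it, that decodes to a second PE.
STAGE2 = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"stage2-svchost-stub"
HOST_BODY = b"MZ\x90\x00" + b"\x00" * 120 + b"viewer code ends here abc"
SAMPLE = HOST_BODY + b"\r\n" + base64.encodebytes(STAGE2)

# A run of Base64 alphabet (line breaks allowed) that reaches end of file,
# optionally followed by '=' padding and trailing whitespace.
TAIL_RE = re.compile(rb"[A-Za-z0-9+/\r\n]{32,}={0,2}\s*$")


def carve_appended_base64(data: bytes, max_lead_junk: int = 256) -> Optional[bytes]:
    """Return the PE appended as Base64 at the end of `data`, decoded, or None."""
    m = TAIL_RE.search(data)
    if m is None:
        return None
    run = re.sub(rb"\s+", b"", m.group(0))
    # The run may have swallowed trailing alphanumeric bytes of the host
    # binary, so shift the start until the blob decodes to an MZ header.
    for skip in range(min(max_lead_junk, len(run))):
        cand = run[skip:]
        if len(cand) % 4:
            continue
        try:
            decoded = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith(b"MZ"):
            return decoded
    return None


if __name__ == "__main__":
    # Usage: python carve.py <suspect.exe> [out.bin]; with no arguments, run on SAMPLE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    payload = carve_appended_base64(blob)
    if payload is None:
        sys.exit("no appended Base64 PE found")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(payload)
    print(f"carved {len(payload)} bytes, header {payload[:2]!r}")
```

The MZ check is the important part: a trailing run of Base64 characters on its own proves nothing (certificates and overlays are often Base64 too), so only a blob that decodes to a PE header is reported.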

This file will periodically call to its C2, or command-and-control server, and wait for any commands:

145.239.41[.]131

Currently, the C2 does not appear to respond on that specific port (6969); however, the host itself is online.

There are claims the malware will additionally install ransomware – I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. More likely, it is a form of keylogger – malware that can record anything you type, and send it back to the attacker.

Svchost.exe will also create an autorun entry:

Figure 5 – newly created run key (click to enlarge)

This means the malware is launched every time the user logs on, so it survives any reboot or restart of the machine.
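The three behaviours described above (svchost.exe running from AppData\Roaming, a connection to the C2 on port 6969, and the Run key entry) are exactly what a detection engineer would look for in endpoint telemetry. The script below is an added example, not part of the original post: it runs those checks over constructed Sysmon-style events (process creation, network connection, registry value set). The events, the user name "alice", the SID and the Run value name are invented sample data; the IP and port are the indicators from the analysis.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the analysis above.
C2_IP, C2_PORT = "145.239.41.131", 6969

# The genuine svchost.exe lives only under the Windows directory.
LEGIT_SVCHOST = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.IGNORECASE)
SVCHOST_NAME = re.compile(r"\\svchost\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\Downloads|Temp)\\", re.IGNORECASE)

Event = Dict[str, object]

# Constructed Sysmon-style events (not from a real host); EventID 1 = process
# create, 3 = network connection, 13 = registry value set.
EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\CrunchyViewer.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "DestinationIp": "145.239.41.131", "DestinationPort": 6969},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
]


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for events matching the indicators."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        eid = e["EventID"]
        image = str(e.get("Image", ""))
        # Rule 1: a process named svchost.exe outside the Windows directory.
        if eid == 1 and SVCHOST_NAME.search(image) and not LEGIT_SVCHOST.match(image):
            hits.append(("masquerading_svchost", f"{image} spawned by {e.get('ParentImage')}"))
        # Rule 2: any process talking to the C2 address and port.
        elif eid == 3 and (e.get("DestinationIp"), e.get("DestinationPort")) == (C2_IP, C2_PORT):
            hits.append(("c2_connection", f"{image} -> {C2_IP}:{C2_PORT}"))
        # Rule 3: a Run/RunOnce value pointing into a user-writable location.
        elif eid == 13 and RUN_KEY.search(str(e.get("TargetObject", ""))) \
                and USER_WRITABLE.search(str(e.get("Details", ""))):
            hits.append(("run_key_persistence", f"{e['TargetObject']} = {e['Details']}"))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"[{rule}] {detail}")
```

Rules 1 and 3 are deliberately broader than this one sample: any svchost.exe outside System32/SysWOW64, and any Run value that points into AppData, Downloads or Temp, are worth a look regardless of which campaign dropped them; only rule 2 is tied to this specific C2.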

Just for fun: it appears that the miscreant, or at least the person who built the malware, is named Ben, judging from the debug paths:

C:\Users\Ben\Desktop\taiga-develop\bin\Debug\Taiga.pdb

c:\users\ben\source\repos\svchost\Release\svchost.pdb

Taiga is 'A lightweight anime tracker for Windows'. This does not mean the Taiga developers are involved; rather, 'Ben' appears to have bundled Taiga in the package.
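Debug paths like the two above come from the CodeView (RSDS) record that the linker embeds in a PE: the four-byte signature, a 16-byte GUID, a 4-byte age and a NUL-terminated .pdb path. The script below is an added example, not the author's tooling: it finds those records in raw bytes, returns the path, GUID and age, and pulls the account name out of any C:\Users\<name>\ path. The sample bytes are constructed (the two paths from the analysis wrapped in synthetic records with made-up GUIDs); on a real file you would point it at the binary itself.

```python
import re
import struct
import uuid
from typing import List, Set, Tuple


def _rsds_record(path: bytes, guid: bytes = b"\x11" * 16, age: int = 1) -> bytes:
    # CodeView "RSDS" record: signature, 16-byte GUID, 4-byte age, NUL-terminated path.
    return b"RSDS" + guid + struct.pack("<I", age) + path + b"\x00"


# Constructed sample bytes, not the real binaries: the two debug paths from the
# analysis, each wrapped in an RSDS record and surrounded by filler.
SAMPLE = (
    b"\x00" * 32
    + _rsds_record(rb"C:\Users\Ben\Desktop\taiga-develop\bin\Debug\Taiga.pdb")
    + b"\xff" * 16
    + _rsds_record(rb"c:\users\ben\source\repos\svchost\Release\svchost.pdb", age=3)
    + b"\x00" * 8
)

RSDS_RE = re.compile(rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.DOTALL)
USER_RE = re.compile(r"^[A-Za-z]:\\users\\([^\\]+)\\", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> List[Tuple[str, str, int]]:
    """Return (pdb_path, guid, age) for every RSDS record found in `data`."""
    found: List[Tuple[str, str, int]] = []
    for m in RSDS_RE.finditer(data):
        path = m.group("path")
        if not path.lower().endswith(b".pdb"):
            continue  # the bytes "RSDS" by chance, not a CodeView record
        guid = str(uuid.UUID(bytes_le=m.group("guid")))
        age = struct.unpack("<I", m.group("age"))[0]
        found.append((path.decode("latin-1"), guid, age))
    return found


def usernames_from_paths(records: List[Tuple[str, str, int]]) -> Set[str]:
    """Account names from Users/<name>/ style build paths, lower-cased."""
    names: Set[str] = set()
    for path, _, _ in records:
        m = USER_RE.match(path)
        if m:
            names.add(m.group(1).lower())
    return names


if __name__ == "__main__":
    records = extract_pdb_paths(SAMPLE)
    for path, guid, age in records:
        print(f"{path}  guid={guid} age={age}")
    print("build account(s):", ", ".join(sorted(usernames_from_paths(records))))
```

The GUID and age are worth keeping alongside the path: they identify a specific build, so two samples sharing them were linked from the same object files even if the path was edited.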

Note that, in the hosts file, there needs to be at least one space (or tab) between 127.0.0.1 and the hostname you want to block.

Conclusion

This hack shows that any website or organisation is, in theory, vulnerable to someone hijacking the website and using it to download and install malware on a user's machine.

While it is uncertain what exactly happened, CrunchyRoll took correct action by taking the website down not too long after. At this point, it is best to monitor their Twitter account, and/or wait for an official statement.

If you have not executed the file, you should be safe. Simply delete the downloaded file.

Note that I can't speak for any second-stage payload that may have been downloaded in the early stage of the attack; however, when I investigated shortly after, I didn't observe any secondary malware.

Follow the prevention tips above to stay secure. Any questions or feedback? Feel free to leave a comment, or reach out to me on Twitter.